The ISO27701 standard could be a game changer for the area of privacy compliance, as the number of privacy-related laws expands worldwide. Here we describe how the standard is laid out and how it maps onto the ISO27001 and ISO27002 standards which it extends. It’s worth spending some time to fully understand how ISO27701 works, as it is not always immediately obvious to the reader. We should mention that CertiKit has had the interpretation set out in this article confirmed by the British Standards Institute (BSI).
Requirements and guidance
The main point is to recognise the difference between requirements, which are audited against, and guidance, which is not. In ISO standards, requirements are stated using the word “shall” and guidance generally uses the word “should”. For example:
The organisation shall determine its role as a PII controller (including as a joint PII controller) and/or a PII processor.
and:
The organisation shall identify and document the specific purposes for which the PII will be processed.
…are both requirements. The first relates to the management system and the second is a control. If these requirements have not been met, a nonconformity may be raised during an audit.
However,
The organisation should ensure that the use of mobile devices does not lead to a compromise of PII.
and:
Roles and responsibilities for the processing of PII should be determined in a transparent manner.
…are both guidance and so are recommended, but still optional, and a nonconformity can’t be raised against them at an audit (although an observation might be made at the discretion of the auditor).
Other words may be used in an ISO standard and their accepted meaning is as follows:
“Shall” indicates a requirement;
“Should” indicates a recommendation;
“May” indicates a permission;
“Can” indicates a possibility or a capability.
Information marked as “NOTE” is for guidance in understanding or clarifying the associated requirement.
ISO27701 clauses
Let’s take each of the clauses of the ISO/IEC 27701 standard and look at what it covers and whether it contains requirements (which are audited) or guidance (which is not audited).
Clause 5 describes how the ISO/IEC 27001 management system must be adapted to cater for privacy as well as information security. These are requirements. Note that there are in fact only two parts of the management system that require specific adaptation – context and planning – although there is also a need to look at all areas to include privacy considerations within them.
Clause 6 provides additional privacy-related guidance for the controls set out in Annex A of the ISO/IEC 27001 standard, which are more fully described in the accompanying code of practice, ISO/IEC 27002. These are recommended enhancements to the control set and may be considered to be guidance. Clause 7 sets out guidance for the additional controls for controllers which are listed in Annex A of ISO/IEC 27701. These controls are over and above those from Annex A of ISO/IEC 27001. However, this is guidance only.
Clause 8 explains similar guidance for the additional controls for processors. Again, this is guidance, not requirements.
The annexes
Annex A contains a table setting out the additional controls for PII controllers. These controls may or may not be applicable in the same way as the controls in Annex A of ISO/IEC 27001 may or may not be applicable (and as detailed in the Statement of Applicability for ISO/IEC 27001). Where applicable, these controls may be considered as requirements. The guidance for these is contained in Clause 7 above.
Annex B contains a table setting out the additional controls for PII processors. Again, their applicability needs to be determined and documented as they may not all apply. Where applicable, these controls may be considered as requirements. The guidance for these is contained in Clause 8 above.
Annexes C, D and E provide a cross-reference of ISO/IEC 27701 onto ISO/IEC 29100 (privacy framework), the GDPR (the EU General Data Protection Regulation) and the two standards ISO/IEC 27018 (protection of PII in the cloud) and ISO/IEC 29151 (code of practice for PII protection).
Annex F gives a little more detail about how the current wording in ISO/IEC 27001 should be adapted to refer to privacy also.
What to focus on for certification
The main point to repeat at this time is that certification to an ISO standard is all about requirements and controls. The guidance does not form part of these requirements and is not audited against. So, if your organisation is looking to become certified to ISO/IEC 27701 (having already been certified to ISO/IEC 27001) then the areas to focus on are:
Clause 5
Annex A
Annex B
… because these contain the requirements and the controls. Clauses 6, 7 and 8 give guidance in the same way as ISO/IEC 27002 gives guidance for ISO/IEC 27001. To be clear, for information security an organisation becomes certified to ISO/IEC 27001 because that contains the requirements. An organisation does not become certified to ISO/IEC 27002 because that only has guidance.
It’s the same for ISO/IEC 27701; stick to the requirements and controls parts when preparing for certification and don’t feel that you must do everything that is stated in the guidance sections (although if it’s appropriate and you can, then by all means go for it).